Configuring Reports

Reports summarize the activity and configuration of the deployed IDS sensors as well as of the IDS Management Center itself. This is crucial when managing and monitoring an enterprise-wide IDS deployment, because querying each IDS sensor manually to determine its status becomes impractical. The IDS Management Center can produce reports, known as audit reports, which provide information about network configuration activities managed with the Cisco IDS MC. These reports can be generated from the Reports tab of the Management Center for IDS Sensors page shown in Figure 10.9.

Additional reports are available from the Security Monitor. The Security Monitor is a closely related but separate product that receives real-time communications from the sensors. When the IDS Management Center and the Security Monitor are installed in the same host system, the audit report templates are shared between the two products.

Audit Reports

There are six types of audit reports available from the IDS Management Center:

  • The Subsystem Report

  • The Sensor Version Import Report

  • The Sensor Configuration Import Report

  • The Sensor Configuration Deployment Report

  • The Console Notification Report

  • The Audit Log Report

The following sections examine each report in detail.

The Subsystem Report

The Cisco Intrusion Detection System has many subsystems, including the Management Center and the Security Monitor. The Subsystem Report shows audit records separated and ordered by subsystem. The entries in the Subsystem Report can be filtered by event severity, date/time, and subsystem.

The Sensor Version Import Report

The IDS Management Center tracks the version identifier of each sensor. When the version identifier of a sensor is imported to the IDS MC, an audit record is generated. The audit record indicates the success or failure of the import operation. The entries in the Sensor Version Import Report can be filtered by device, event severity, and date/time.

The Sensor Configuration Import Report

IDS sensor configurations are often imported into the IDS Management Center for viewing or editing. Audit records are generated when this import operation is executed. The audit record indicates the success or failure of the import operation. The entries in the Sensor Configuration Import Report can be filtered by device, event severity, and date/time.

The Sensor Configuration Deployment Report

Configuration files containing new settings are often deployed to the sensors. Audit records are generated when this deployment operation is executed. These records can indicate successful deployment or provide error messages. The entries in the Sensor Configuration Deployment Report can be filtered by device, event severity, and date/time.

The Console Notification Report

The IDS Notification subsystem generates console notification audit records. The entries in the Console Notification Report can be filtered by event severity and date/time.

The Audit Log Report

The Audit Log Report displays audit records by the IDS server and by the IDS application. This report template provides a broad, non-task-specific view of audit records in the database. The entries in the Audit Log Report can be filtered by task type, event severity, date/time, subsystem, and application.

Generating Reports

Reports can be generated immediately or scheduled for a later time. We can generate a report by starting from the IDS Management Center for IDS Sensors page and selecting the Reports tab. The resulting page is shown in Figure 10.34.

Figure 10.34: The Management Center for IDS Sensors Page

To generate a report, follow these steps:

  1. From the Reports page, select Generate.

  2. The Select Report page appears. Choose the type of report to generate and click Select.

  3. The Report Filtering page appears. Enter the report parameters for the report selected and click Next.

  4. The Schedule Report page appears. In the Report Title field, specify a name for the report. Select a radio button to schedule the report:

    • Run Now will generate the report immediately.

    • Schedule for Later will allow the specification of when the report will be generated, including the generation of reports at regular intervals.

  5. The Email Report To field allows the specification of an e-mail address of a report recipient. Click Finish.

  6. To view the reports scheduled for generation, from the Management Center for IDS Sensors page, select Reports | Scheduled.

Viewing Reports

To view a generated report, start from the Management Center for IDS Sensors page and do the following:

  1. Select Reports | View.

  2. The Choose Completed Report page appears. Check the box corresponding to the title of the report to view and click View.

Exporting Reports

To export a generated report to an HTML file, start from the Management Center for IDS Sensors page and perform the following steps:

  1. Select Reports | View.

  2. The Choose Completed Report page appears. Check the box corresponding to the title of the report you want to view and click Open in Window.

  3. Depending on the browser in use, select File | Save As or Save File. Browse to the location where the file is to be saved, enter a file name, and click Save.

Deleting Generated Reports

To delete a generated report, start from the Management Center for IDS Sensors page and do the following:

  1. Select Reports | View.

  2. The Choose Completed Report page appears. Check the boxes corresponding to the titles of the reports to delete and click Delete.

Editing Report Parameters

To edit the schedule for a report or the parameters for a scheduled report, start from the Management Center for IDS Sensors page and perform the following steps:

  1. Select Reports | Scheduled.

  2. The Edit Scheduled Reports page appears. Check the box corresponding to the title of the report template to edit and click Edit.

  3. A new page appears displaying the report parameters. Change any report parameter and click Finish.

Example of IDS Sensor Versions Report Generation

This section details the generation of an example report. Use the following procedure to generate and view reports:

  1. Select Reports | Generate to select the type of report to be generated from the Select Report page.

  2. In the Select Report page, choose one of the report types desired (as shown in Figure 10.35) and click Select.

    Figure 10.35: The Select Report Page

  3. The next step is to schedule the report. In the Schedule Report page (shown in Figure 10.36), the report generation can be scheduled to occur immediately, with the Schedule Options | Run Now option, or for some later period (Schedule Options | Schedule for Later).

    Figure 10.36: The Schedule Report Page

  4. Select the Finish button to generate the report.

  5. Once the report generation is complete, the report title will appear in the list of completed reports. Select the check box (or check boxes) of the report (or reports) to view, and then select View (as shown in Figure 10.37).

    Figure 10.37: The Choose Completed Report Page

Security Monitor Reports

While the IDS Management Center can provide audit log reports, information about network activities detected by the IDS Sensors is usually provided by the Security Monitor. To access the Security Monitor from the CiscoWorks2000 Desktop, select the Monitoring Center and then the Security Monitor, as shown in Figure 10.38.

Figure 10.38: The Security Monitor

To access reports provided by the Security Monitor, select the Reports tab and then the View entry. This will bring up the Completed Reports menu, as shown in Figure 10.39.

Figure 10.39: The Security Monitor Completed Reports

To select a report for viewing, check the box next to the report and click the View button.